Using virtual domain name service (DNS) zones for enterprise content delivery

ABSTRACT

A domain to be published to an enterprise ECDN is associated with a set of one or more enterprise zones configurable in a hierarchy. When a DNS query arrives for a hostname known to be associated with given content within the control of the ECDN, a DNS server responds by: (a) handing back an IP address, e.g., for an ECDN intelligent node that knows how to obtain the requested content from a surrogate or origin server; (b) executing a zone referral to a next (lower) level name server in a zone hierarchy, or (c) CNAMing to another hostname. In the latter case, this new CNAME causes the resolution process to start back at the root and resolve a new path, probably along a different path in the hierarchy. At any particular level in the zone hierarchy, preferably there is an associated zone server. That server executes logic that applies the requested hostname against a map that may be generated from given performance metrics. Thus, a given name query to ECDN-managed content may be serviced in coordination with various sources of distributed network intelligence.

This application is based on and claims priority from ProvisionalApplication Ser. No. 60/262,171 filed Jan. 16, 2001.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates generally to content delivery andmanagement within a private enterprise network.

2. Description of the Related Art

It is well-known to deliver digital content (e.g., HTTP content,streaming media and applications) using an Internet content deliverynetwork (ICDN). A content delivery network or “CDN” is a network ofgeographically distributed content delivery nodes that are arranged forefficient delivery of content on behalf of third party contentproviders. A request from a requesting end user for given content isdirected to a “best” replica, where “best” usually means that the itemis served to the client quickly compared to the time it would take tofetch it from the content provider origin server.

Typically, a CDN is implemented as a combination of a content deliveryinfrastructure, a request-routing mechanism, and a distributioninfrastructure. The content delivery infrastructure usually comprises aset of “surrogate” origin servers that are located at strategiclocations (e.g., Internet network access points, Internet Points ofPresence, and the like) for delivering copies of content to requestingend users. The request-routing mechanism allocates servers in thecontent delivery infrastructure, to requesting clients in a way that,for web content delivery, minimizes a given client's response time and,for streaming media delivery, provides for the highest quality. Thedistribution infrastructure consists of on-demand or push-basedmechanisms that move content from the origin server to the surrogates.An effective CDN serves frequently-accessed content from a surrogatethat is optimal for a given requesting client. In a typical CDN, asingle service provider operates the request-routers, the surrogates,and the content distributors. In addition, that service providerestablishes business relationships with content publishers and acts onbehalf of their origin server sites to provide a distributed deliverysystem. A well-known commercial CDN service that provides web contentand media streaming is provided by Akamai Technologies, Inc. ofCambridge, Mass.

Enterprises have begun to explore the desirability of implementingcontent delivery infrastructures to address several problems. Currently,enterprise users typically experience slow and expensive access toInternet content. Slow access to business critical data available on theInternet hurts productivity, and the cost of providing good access,e.g., by building bigger networks and by deploying and managing cachinginfrastructure, is large. In addition, many IT organizations cannotdeliver the required quality of service for Internet content deliverydue to lack of talent and expertise. Yet another reason corporations areexploring CDNs is because of the slow, expensive and often cumbersomeaccess to and within the entity's intranet. As corporate intranetsquickly become a critical component of business process in many largecompanies, fast and efficient access to the data and applications on theintranet is a high priority for many IT departments. Nevertheless,current intranet delivery solutions are inadequate, and solving theproblems, e.g., by building bigger internal networks, deploying andmanaging caches, and distributing application front ends, is extremelyexpensive. To address these deficiencies, several large software vendorsare attempting to build ecosystems to provide web-based front ends tomany enterprise applications, however, distributing these applicationfrom front ends efficiently, in of itself, will be a critical IT problemthat current technologies do not address. Finally, enterprises areconsidering CDN technology due to slow, expensive access to businesspartner applications and information provided by current techniques andsolutions. Business-to-business applications (such as ordering,inventory, and pricing management) between business partners is donetoday by linking partners with a physical network. These applicationsare moving to the Internet/intranet, and the need to link businesspartners together in an efficient way with web-based front ends isanother critical IT problem that is not addressed by today's solutions.

BRIEF SUMMARY OF THE INVENTION

It is a general object of the invention to define and implement one ormore virtual zones within an enterprise namespace to facilitateenterprise content delivery behind a corporate firewall.

It is another general object of the present invention to provide anenterprise content delivery network that coexists with existing or“legacy” Domain Name Service (DNS) infrastructure to facilitate mappingof requests for enterprise resources to surrogate servers, e.g., commoncaching appliances, application servers, distributed storage anddatabase management systems, and streaming media servers.

It is yet another general object of the invention to define andimplement one or more so-called “virtual” zones within an enterprisenamespace to facilitate content delivery behind a corporate firewallover an enterprise content delivery network (ECDN).

Another object of the present invention to enable an ECDN DNS to coexistwith an existing enterprise DNS and to enable content delivery with onlyminimal configuration changes to the existing infrastructure usingvirtual zones. A given host or sub-domain to be published to the ECDN isaliased into a virtual zone namespace preferably using a DNS CanonicalName (CNAME).

A still further object of the invention is to implement an enterprisecontent delivery network wherein any arbitrary hierarchical namespacecan be implemented and wherein each layer of the namespace inherits thenamespace above.

According to the invention, a domain to be published to an enterpriseECDN is associated (either by static configuration or dynamically) witha set of one or more enterprise zones configurable in a hierarchy. Whena DNS query arrives for a hostname known to be associated with givencontent within the control of the ECDN, a DNS server preferably respondsin one of three (3) ways: (a) handing back an IP address, e.g., for anECDN intelligent node that knows how to obtain the requested contentfrom a surrogate or origin server; (b) executing a zone referral to anext (lower) level name server m a zone hierarchy, or (c) CNAMing toanother hostname, thereby essentially restarting the lookup procedure.In the latter case, this new CNAME causes the resolution process tostart back at the root and resolve a new path, probably along adifferent path in the hierarchy. At any particular level in the zonehierarchy, preferably there is an associated zone server. That serverpreferably executes logic that applies the requested hostname against amap, which, using known techniques, may be generated from given (static,dynamic, internally-generated or third party-sourced) performancemetrics. Thus, a given name query to ECDN-managed content may beserviced in coordination with various sources of distributed networkintelligence. As a result, the invention provides for a distributed,dynamic globally load balanced name service.

According to a more specific aspect of the invention, a domain to bepublished to the ECDN is associated (either by static configuration ordynamically) with a set of one or more enterprise zones configurable ina hierarchy. When a request for content is received from a given clientin the enterprise (or otherwise accessible through the firewall), a namequery to the enterprise's legacy DNS is directed to the configured ECDNzone primary server. This primary ECDN zone server associates, andrelays via CNAME, a name query with an ECDN intelligent node (orresolves directly to a given content origin server). This associationmay be based on given conditions within the network, server loadconditions, or some combination of various known metrics. With ECDNvirtual zones, maps that associate a given request to a server may belocal or global, static or dynamic. While the maps typically aregenerated within the ECDN infrastructure, they could also be affected beexternal agents providing hints or modifications. If multiple zones areused in a hierarchy, a first level ECDN zone server directs the namequery to a second level ECDN zone server, and so on, until theappropriate response is generated. At any one level the particular zoneserver need not be able to resolve the entire name; rather, theparticular zone server need only be able to resolve the portion requiredfor directing the next level of resolution. For example: the zone serverfor the namespace containing b in the hostname a.b.c.d.e may have noidea where the final resolution will end up, but it should know whichset of servers maybe authoritative for the namespace containing c.Because DNS readily allows one to “carve out” zones in the namespace ofa particular domain (e.g., ecdn.company.com can be managed by adifferent authoritative DNS server than the rest of company.com), thecreation of the first level ECDN zone on the existing DNS infrastructureallows the two systems to coexist and undergo modification in parallelwithout interference with one another. This enables the presentinvention to be readily integrated into an existing or legacy DNSsolution with minimal reconfiguration.

Thus, according to the invention, an existing DNS infrastructure isaugmented with one or more ECDN zone servers, and requests for contentto be delivered over the ECDN are resolved through the one or more zoneservers. In one embodiment, this function is achieved by identifying agiven enterprise domain to be published to the ECDN, and having anetwork administrator (or a person acting on the administrator's behalf)modify an existing DNS name record for that enterprise domain. In thisembodiment, the administrator CNAMEs the enterprise domain to a domainidentified by a so-called “virtual zone” that is managed on an ECDN zoneserver (and, thus, forms part of the ECDN). In particular, this processenables the enterprise domain to be managed (by the enterprise or athird party acting on the enterprise's behalf) as part of the ECDN,typically by the ECDN zone server on one of the intelligent nodes (orsome other machine, such as a client name server). A similar process isrepeated for every new domain or subdomain being distributed by theECDN. Any client downloading a URL referring to the enterprise domainthen gets directed to the ECDN zone server, which directs the client toan ECDN intelligent node. The client passes a host header to the ECDNnode to identify the actual host.

The foregoing has outlined some of the more pertinent features of thepresent invention. These features should be construed to be merelyillustrative. Many other beneficial results can be attained by applyingthe disclosed invention in a different manner or by modifying theinvention as will be described.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an enterprise in which the inventiveenterprise content delivery network (ECDN) may be implemented;

FIG. 2 is another enterprise environment in which the present inventionmay be implemented;

FIG. 3 illustrates a known technique for handling a request for contentin an enterprise using a legacy DNS infrastructure;

FIG. 4 illustrates a technique for enterprise content delivery usingvirtual DNS zones according to the present invention;

FIG. 5 illustrates a representative DNS namespace in which an enterprisevirtual zone is created according to the present invention;

FIG. 6 illustrates a zone hierarchy in which first and second level ECDNzone servers are used to resolve a name query to an enterprise domainthat has published to the ECDN; and

FIG. 7 illustrates a technique for dynamic zone creation through anagent-hinted CNAME according to the present invention; and

FIG. 8 illustrates a technique for using virtual zones to enable anenterprise partner to access an enterprise ECDN to retrieve intranetcontent.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention is implemented within an “enterprise” or“enterprise environment.” Referring to FIG. 1, a representativeenterprise environment in which the present invention is implementedcomprises at least one primary central office 100 (e.g., with central ITsupport), which is connected to one or more regional datacenters 102,with each datacenter connected to one or more remote branch offices 104via private line, or via the public Internet (most likely with a virtualprivate network or “VPN”). The branch offices 104 may be fully (orpartially) meshed amongst themselves. FIG. 2 illustrates anotherenterprise computing environment that includes a central office 200 anda pair of remote offices 202. As shown in FIG. 2, remote office 202 a isconnected to the central office 200 over a private line, which refers toa line not generally routable over the public Internet (e.g., framerelay, satellite link, microwave link, or the like), and remote office202 b is connected to the central office 200 over a virtual privatenetwork (VPN) typically over the public Internet, or in other knownways. A given remote office may be an office of an enterprise businesspartner if an appropriate business relationship between the enterpriseand the partner exists. Enterprise networks are generally based on oneof two network types—point-to-point private/leased line, or VPN overpublic lines (often fully meshed between offices). From a topologicalview, actual enterprise networks may not operate in a hierarchical sensefor connectivity. From a logical management view, however, the serversremain in a relatively weak hierarchy (as illustrated in either FIG. 1or 2) with more valuable and management intensive systems usuallyexisting at more centralized data centers, and very few of these typesof systems being deployed in remote branched offices. This architectureis usually a function of where information and management reside, whichdrives the cost of management for the overall IT network and ITservices. Thus, for example, in the more complex enterprise such asshown in FIG. 1, regional datacenters tend to have more criticalinformation than branch offices, and the central office tends to havethe most critical information. It is assumed for purposes ofillustration that the enterprise hosts given internal content that itdesires to have stored, cached and delivered to end users in theenterprise. Such internal enterprise content, or ECDN content, generallyis non publicly-available content (in whatever format) that anenterprise desires to make available to permitted users within theenterprise or within a third party partner of the enterprise. An enduser typically operates a computer having an Internet browser. Theauthoritative content and application servers 106 (in FIG. 1) and 206(in FIG. 2) being published into the CDN (each identified here as an“ECDN server”) can exist in any location, although from a practicalperspective they may often be somewhat centrally-located. Such serversare sometimes referred to an origin servers. The enterprise is alsoassumed to be IP based and to have a Domain Name Service (DNS) 108 (inFIG. 1) and 208 (in FIG. 2). From a: security standpoint, the enterprisenetwork manager roughly divides the world of the network into trustedand un-trusted, which usually corresponds to internal and externalentities. Firewalls 110 (in FIG. 1) and 210 (in FIG. 2) are typicallyconfigured to allow most outbound traffic, with severe restrictions oninbound traffic. This allows for access to requested services withoutproviding third parties a foothold for intrusion. More sophisticatedsystems usually create an security entity called a DMZ, which can bethought of as a set of two firewalls, with certain assets like email,DNS, web servers, etc. sitting between them. Each firewall has adifferent set of filtering rules, with the innermost generally allowingvalid traffic from a host within the DMZ to enter the enterprise.Generally, no externally initiated traffic is allowed to pass both setsof filters.

For purposes of illustration, an enterprise content delivery network(ECDN) is provisioned into the enterprise network topology of FIG. 2.The ECDN may be implemented in a standalone manner, or it may be part ofa larger Internet CDN, in which case the Internet CDN service providermay manage the ECDN on behalf of the enterprise. Various techniques forextending an ICDN into an enterprise are described in U.S. Pat. No.7,096,266, which patent is commonly-owned and which is incorporatedherein by reference. Referring back to FIG. 2, ECDN functionality isprovided by locating one or more intelligent nodes (each referred to asan IN) that execute appropriate management, provisioning, monitoring androuting applications to facilitate the distribution, delivery andmanagement of the private enterprise content delivery network. Thus, forexample, an IN 212 a may be located in the central office 200 and eachof the remote offices may include an IN box 212 b as indicated. An INbox 212 is typically a computer, namely, a server, having at least onePentium-class processor, an operating system (e.g., Linux, Windows NT,Windows 2000, or the like), and some amount of disk storage and systemmemory. Using the IN boxes, the enterprise (or the CDNSP on its behalf)has the ability to map and load balance users inside the enterprise(perhaps as part of the global ICDN), to fetch content from inside thefirewall, to collect log information, to deploy software, to distributelive streams, and to provide other ICDN functionality.

Thus, an illustrative enterprise CDN (“ECDN”) is comprised of a varietyof origin and surrogate servers and a distributed set of intelligencenodes (IN). An origin server can be any server that is intended torespond to a user request for information and includes, for example,common caching appliances, application servers, distributed storage anddatabase management systems, and streaming media servers. Theintelligence nodes tie the entire set of distributed nodes and servicesinto a single, virtual service cloud. The ECDN intelligence nodes mayhave different configurations. Thus, for example, a first type (e.g., IN212 a in central office 200) may be sized (in terms of processing powerand memory) for the largest datacenters, and such machines would beaggregation points for monitoring, logging, management and requestrouting. A second type of intelligence node (e.g., IN 212 b) may besized for branch office deployment, and such servers would be sized tooptimize local behavior. The nodes may be placed in a hierarchy with anIN of the first type acting as a parent. An intelligence node of thesecond type would typically include a caching engine.

Architecturally, an ECDN such as illustrated above is similar to anInternet content delivery network (ICDN) and comprises: HTTP, streamingand DNS server nodes deployed across a customer network. Generalizing,the ECDN provides the enterprise with the following: a namespace and anassociated request routing mechanism (to control how to navigate theCDN), storage, caching and streaming (to control how and where areobjects stored and distributed), optionally an application environment(to facilitate application extensibility), management and provisioning(to control how the CDN is deployed and managed), and reporting/auditing(to provide visibility into the behavior). An ECDN such as describedabove provides an application, streaming and content delivery platformso that enterprise content may be delivered and managed in adecentralized fashion while providing a tightly-integrated solution witha customer's storage, network, application and management solutions.

Enterprises today either outsource their Domain Name Service (DNS) or,as described above, run a DNS infrastructure (e.g., one or more DNSservers). A DNS namespace has certain characteristics, as arewell-known. Each unit of data in a DNS distributed database is indexedby a hostname. These names are simply leaves in a tree representation,which is often called a domain namespace. Each node in the tree islabeled with a simple name. The fully qualified hostname of any node inthe tree is the sequence of labels on the path from that node to theroot. A zone is a subtree of the domain name space. Names at the leavesof the tree generally represent individual hosts, whose names resolve toone or more IP addresses. It has become common in instances of virtualhosting within ISPs to have multiple customers share a single machine,therefore having multiple hostnames resolve to a single machine orserver farm. CDN technology to date has additionally made it common fora single hostname to potentially resolve to any one of thousands ofmachines, though at any given time the set of possible hostnames isconfigured and fixed. The term zone usually relates to a set of hostswithin a single authoritative server's namespace, whereas a single zonecould include multiple sub-domains. Thus, e.g., if foo.com andeng.foo.com are both handled by the same nameserver, they are both inthe same zone; but, if foo.com's nameserver refers a lookup to adifferent authority for resolution, they would be considered separatezones.

An organization administrating a domain can divide it into subdomains.Each of those subdomains can be delegated to other organizations, inwhich case the organization receiving the delegation becomes responsiblefor maintaining all the data in that subdomain. The machines or programsexecuting on those machines that store information about the domainnamespace are often called name servers. Name servers generally havecomplete information about some part of the domain namespace, namely, azone. In such case, the name server is then said to have authority forthat zone. A name server can also maintain cached information—ornon-authoritative information, which is obtained by communicating withan authoritative name server. A zone contains the domain names and datathat a domain contains, except for domain names and data that aredelegated elsewhere. If a subdomain of the domain has not beendelegated, the zone also contains the domain names and data in thesubdomain.

For purposes of the present invention, it is assumed that the enterpriseoperates (or has operated) DNS servers, that those servers manage dataheld in zones, and that each zone is a complete database for aparticular “pruned” subtree of the domain space. As noted above, thezone data is authoritative, in that it contains an accurate (typically,the most accurate) representation available for a particular set ofhostnames. At least one host in the enterprise stores enterprise contentthat the enterprise desires to make available to permitted end users(enterprise or partner employees). The enterprises use the existing DNSinfrastructure to resolve client requests for content at that host. FIG.3 illustrates the known prior art. In this example, it is assumed thatthe user desires to retrieve the enterprise internal homepage, which isa page located, in this example, at hr.company.com/homepage.html. Tothis end, the user, or client 300, interacts with DNS via a resolver302, typically residing on the same machine. As is well-known, aresolver is a client process that accesses a name server. Programsrunning on a host that need information from a domain name space use theresolver. In DNS BIND, for example, the resolver is a set of libraryroutines that query a name server, interpret responses, and return theinformation to the program/process that requested it. Thus, withreference to FIG. 3, the resolver 302 interacts with the enterprise nameserver 304 to resolve client queries, which are then returned to theclient. In the example shown in FIG. 3, the client resolver 302 makes aDNS request (in this example “who is hr.company.com”) to the corporateDNS name server 304, which returns a reply with an actual IP addressy.y.y.y of the host on which the document is stored. The client resolver302 then uses a DNS A record to build a connection to the actual webserver 306, and issues an appropriate HTTP request to the web server 306(e.g., via a GET hr.company.com/homepage.html). The web server 306responds with the content reply to complete the request.

According to the invention, the existing DNS infrastructure is augmentedwith one or more ECDN zone servers, and requests for content to bedelivered over the ECDN are resolved through the one or more zoneservers. In the simplest embodiment, this function is achieved byidentifying a given enterprise domain to be published to the ECDN, andhaving a network administrator (or a person acting on theadministrator's behalf) modify an existing DNS name record for thatenterprise domain. In this embodiment, the administrator CNAMEs theenterprise domain to a domain identified by a so-called “virtual” zonethat is managed on an ECDN zone server (and, thus, forms part of theECDN). In particular, this process enables the enterprise domain to bemanaged (by the enterprise or a third party acting on the enterprise'sbehalf) as part of the ECDN, typically by the ECDN zone server on one ofthe intelligent nodes (or some other machine, such as a client nameserver). A similar process is repeated for every new domain or subdomainbeing distributed by the ECDN. Any client downloading a URL referring tothe enterprise domain then gets directed to the ECDN zone server, whichdirects the client to an ECDN IN. The client passes a host header to theECDN IN to identify the actual host.

FIG. 4 illustrates an embodiment of the present invention. DNS requeststypically occur over UDP, while HTTP requests typically occur over TCP.The enterprise is identified as “akamai” for illustrative purposes only.In this example, the client resolver 402 makes a DNS request for“hr.akamai.com” (step (1)) to the configured name server 404. This nameserver may be part of the legacy DNS infrastructure, as described above.This same name server 404 (running a suitable DNS BIND version) looks uphr.akamai.com and sees that the hostname resides within the zoneconfigured to be within the ECDN (potentially after first resolving aCNAME from hr.akamai.com to itself for hr.ecdn.akamai.com). At step (3),the query is then referred to an ECDN name server 406, with the ECDNname server being configured to be authoritative for the ecdn.akamai.comzone. Some of the steps are compressed in the figure for clarity. Atstep (4), the ECDN zone server 406 could do one of three things: replywith an IP address x.x.x.x, pass the query to a different zone forhr.ecdn.akamai.com, or CNAME the request to a different hostname alltogether (restarting this process). In the drawing, the ECDN zone serverhas returned the IP address. Thus, at step (5), the client makes an HTTPrequest to the ECDN IN 408 at IP address x.x.x.x with a host header:identifying the host hr.akamai.com. At steps (6), (7) and (8), the ECDNcontent server, handles the HTTP portion of the request in the standardfashion for a surrogate. The content is served from the origin server406.

The technique shown in FIG. 4 provides significant advantages. Accordingto the invention, when a DNS query arrives for a hostname known to beassociated with given content within the control of (i.e., managed by)the ECDN, the DNS server that receives the query preferably responds inone of three (3) ways: (a) handing back an IP address, e.g., for an ECDNintelligent node that knows how to obtain the requested content from asurrogate or origin server (as illustrated in FIG. 4); (b) executing azone referral to a next (lower) level in a zone hierarchy (as defined instandard DNS), or (c) CNAMing to another hostname, thereby essentiallyrestarting the lookup procedure. This new CNAME cause the resolutionprocess to start back at the root and resolve a new path, probably alonga different path in the hierarchy. At any particular level in the zonehierarchy, there is preferably an associated zone server. Zone serversmay operate on the same machines but typically have different IPaddresses. Each zone server preferably executes logic that applies therequested hostname against a map which, using known techniques, may begenerated from given (static, dynamic, internally-generated or thirdparty-sourced) performance metrics. Thus, a given name query toECDN-managed content maybe serviced in coordination with various sourcesof distributed network intelligence. As a result, the invention providesfor a distributed, dynamic globally load balanced name service for anenterprise CDN.

From a logical view, hierarchical DNS zones for resolving a particularquery within a content delivery network are represented according to thepresent invention as illustrated in FIG. 5. In this example, it isassumed that an Internet CDN service provider operates over a namespacethat is referred to as “akamai.” This namespace includes a subdomain of*.ecdn.akamai.com, which, as noted above, is the virtual zone. In thisexample, the CDNSP manages the zone on the enterprise's behalf. In anormal name query, a request for foo.akamai.com returns some IP address,which is normally fixed. With web hosting, as is well-known, virtualhostnames are often used to allow a single address to handle multiplehostnames. For load balancing, a round robin technique is often used,allowing for one name to be spread across multiple addresses. Forvirtual zones, preferably there is a many-to-many mapping. Inparticular, one hostname is spread across a mesh of servers, and oneserver may handle any number of hostnames. Thus, for example, in asimple case, one could create three (3) hostnames (x, y, and z) and havefour (4) servers (having IP addresses: 1.1.1.1, 1.1.1.2, 1.1.1.3,1.1.1.4). Any hostname query could resolve to any server address, givingtwelve (12). combinations of responses to any particular query. Thus,when the server for this virtual zone gets a request, it replies withany of the 12 possible addresses, although significant performanceadvantages could be gained if it were to use a more intelligentapproach. In particular, it is also well-known, that geographical andtopological location information can be used to send clients to theclosest address, and server load can be accounted for as well to try andoptimize client response times. A combination of these (with otherfactors) can be used to determine the best server for handling aparticular request.

As described above, so-called Canonical Name (CNAME) records define analias for an official hostname and are part of the DNS standard. Ingeneral, CNAMEing may be thought of as a means for DNS redirection of aclient query. As illustrated above, DNS virtual zones and CNAMEs areused with standard surrogate servers to manage ECDN content in a givenenterprise.

The CNAME technique may be implemented any number of arbitrary times,while zone referral preferably occurs hierarchically. Generalizing,according to the invention, a given domain may be of the form“*.zone2.zone1.enterprise.com” where “zone1” represents a first or “top”level ECDN zone, “zone2” represents a second or “lower” level ECDNsubzone of the top level zone, and so forth. As indicated in FIG. 6, afirst level ECDN zone server 600 would handle top level resolutions, andone or more second level ECDN zone servers 602 would handle the nextlevel resolutions, and so forth. The wildcard “*” in the above exampleindicates that further zone levels may be provided as well, with eachlevel of the zone hierarchy then inheriting the namespace of the levelsabove it. Thus, the “virtual” nature of the invention is due to the factthat at no time is there necessarily a fixed set of possiblehostnames—they may be, and most likely are, produced on-the-fly. Thus,for example, if the enterprise uses an Oracle database for storingfinancial data, the network administrator may generate domains such as“financials.ecdn.company.com,” while the ECDN itself may be creatingobjects like “component.oracle.financials.ecdn.company.com,” or“a.b.c.oracle.financials.ecdn.company.com” etc. Continuing with thisexample, if a particular ECDN zone server is provided with a name itdoes not fully recognize, it resolves that portion that it canrecognize. Thus, while a first-level ECDN DNS server might do a roughcut of performance and refer a request to another zone, the next zonemay have a finer grain metric used for next step resolution.

According to the invention, and as illustrated in FIG. 6, assume thatgiven enterprise content has been published to the ECDN and, inparticular, to be managed by a second level zone server“hr.ecdn.akamai.com.” In this example, a request for resolution ofhr.akamai.com is first directed (through a CNAME) to the ecdn.akamai.comtop level zone server 600, which then redirects the request (againthrough a CNAME) to one of the hr.ecdn.akamai.com second level zoneservers 602; The second level name servers may be load balanced, e.g.,based on network information collected at the zone server pair aboutconnectivity between the remote office and possible locations of thebackend servers that host the desired content, as well state informationabout the load on those servers. The second level name server returnsthe IP address of an optimal backend server based on the availablemetrics (e.g., server load, network connectivity, etc.). The use ofhierarchical zones in this manner enables the enterprise to build andmaintain more relevant “local” information about how client requestsshould be mapped, thus obviating the building, maintenance and deliveryof enterprise-wide request routing maps.

According to another feature of this invention, a software agent isexecuted in or in conjunction with a DNS server to create “zones”dynamically. In this approach, the agent, in effect, provides hints tothe enterprise DNS name server as to which enterprise domains would bebeneficially cached, as well as the addresses of near-by (local) ECDNintelligent nodes. FIG. 7 illustrates the agent-hinted CNAME technique.To create such as agent, the enterprise may keep a lightweight historydatabase within a DNS server, recording usage patterns of A (address)record lookup requests. Building heuristics around access patterns orlooking for high or relatively increased lookups on a per domain basismight provide candidate hostnames. This would identify high usage HTTPsites. The hints might also come from firewalls, third party updates,in-line L4 switches, or from some other entity listening on port 80(e.g., perhaps via an egress switch SPAN port). When a domain isidentified as potentially interesting from a usage perspective, insteadof returning the address of the actual domain, the address of a nearbyECDN IN may be substituted dynamically. After traffic dies down, theaddress could revert back to standard behavior. Thus, if the “hot”domain is “hr.akamai.com,” the DNS name server dynamically CNAMEs thedomain to the local ECDN zone server “ecdn.akamai.com” as needed. Alltraffic to the hr.akamai.com would then get sent to the close-by ECDN INfor handling. Agent interaction may be accomplished as a server plugin,through WCCP 2.0 transparent interception of DNS traffic, promiscuousDNS port snooping (SPAN mode), or providing an augmented DNS nameserver. An interface may be provided to notify the agent that all*.ecdn.enterprise.com servers are part of the ECDN and should be senttowards the appropriate servers.

The present invention provides numerous advantages over the prior art.According to the invention, a domain to be published to the ECDN isassociated (either by static configuration or dynamically) with a set ofone or more enterprise zones configurable in a hierarchy. When a requestfor content is received from a given client in the enterprise (orotherwise accessible through the firewall), a name query to theenterprise's legacy DNS is directed (preferably via CNAME) to a set ofone or more ECDN zone servers. A given ECDN zone server associates aname query with an ECDN intelligent node (or to a given content server).This association may be based on given conditions within the network,server load conditions, or some combination of various known metrics.With ECDN virtual zones, maps that associate a given request to a servermay be local or global, static or dynamic. If multiple zones are used ina hierarchy, a first level ECDN zone server redirects the name query toa second level ECDN zone server, and so on, until the appropriateresponse is generated. ECDN zone servers may reside on the same machineor with existing, DNS infrastructure or other machines in theenterprise. This enables the present invention to be readily integratedinto an existing or legacy DNS solution with minimal reconfiguration.

As described and illustrated above, a given zone may have a sub-zoneand, according to the invention, that sub-zone may be managed by theenterprise or even by a third party such as an Internet content deliverynetwork (ICDN) service provider. As an example of the latter scenario,assume that the enterprise outsources its streaming video delivery tothe ICDN service provider. To this end, a host lookup for, say,allhands.streamingvideo.ecdn.company.com may be configured eitherstatically or dynamically to a zone managed by a CDN overlay network.This has the effect of transparently allowing delivery to be seamlesslytied internally and externally via the same mechanism.

FIG. 8 illustrates another example of how an enterprise may hand offmanagement of a virtual zone to another entity, in this case anenterprise business partner. In this example, producer.com is theenterprise and consumer.com is the enterprise business partner having anend user. Producer.com desires to make given content available to theconsumer.com end user, however, the producer.com namespace on which thecontent is published is not resolvable through public DNS and thedocument is not available publicly. Both producer.com and consumer.comare assumed to have implemented a ECDN system behind each of theirrespective firewalls, and each entity has a private namespace that theyrespectively manage. The goal is to make producer.com's namespaceselectively available to an end user in consumer.com without, at thesame time, exposing producer.com's namespace to the public DNS. EachECDN deploys a relay machine which, preferably, is a combination of asurrogate origin server and an ECDN zone server. Separatemachines/processes may be used, or the processes may be integrated orincluded with other functionality. Preferably, each relay machine islocated within the enterprise DMZ, as illustrated in the drawing. Therelay machine inside consumer.com does not know how to resolve a virtualzone associated with producer.com, but that machine does know that therelay machine inside producer.com's firewall does know how to make sucha resolution. Likewise, the relay machine inside producer.com does notknow how to resolve a virtual zone associated with consumer.com, butthat machine does know that relay machine inside consumer.com's firewallmake know how to make such a resolution. As is well-known, boxes withina DMZ can be selectively allowed to communicate with one another whilefiltering other potentially hostile communications.

Referring back to FIG. 8, assume that the document in question isreferenced within consumer.com by a836.asp.producer.com/object.html. Inthis example, the zone “asp.producer.com” has been designated withinconsumer.com as being owned or managed by relay.consumer.com. Thus,relay.consumer.com will act as a surrogate for that document. When theconsumer.com relay gets the host header a836.asp.producer.com, the relaymachine uses that information to connect to the relay machine inproducer.com. The relay machine in producer.com gets the HTTP requestand it is configured to rewrite any host header (associated witha836.asp.producer.com in this example) to foo.producer.com. The relaymachine at relay.producer.com then acts as a surrogate origin server forthe web server at foo.producer.com, which hosts the document. The webserver then returns the document via the surrogate origin serverrelay.producer.com, and that server rewrites the response header topoint back to itself. The relay machine in producer.com then returns thedata to the relay machine in consumer.com, which performs similarsurrogate processing and returns the document to the requesting enduser. This completes the processing Thus, one of ordinary skill in theart will appreciate that, in this manner, producer.com has handed offmanagement of the relay.producer.com virtual zone to consumer.com. Thisarrangement creates a VPN-like connection between the two namespaces tofacilitate the document sharing. As illustrated, preferably thecommunications between the two relay machines are made over secure linkusing known techniques.

Having thus described my invention, the following sets forth what I nowclaim.

1. A method of content delivery involving a first entity and a secondentity comprising: having each of the first and second entities operatean enterprise content delivery network (ECDN) behind an enterprisefirewall, wherein each of the first and second entities has a privatenamespace that is not resolvable through public Internet DNS; having thefirst entity delegate to the second entity responsibility for managing avirtual zone associated with the private namespace of the first entity;and in response to a request generated by an end user in the secondentity, the request being associated with the virtual zone, retrieving aprivate object published by the first entity.
 2. The method as describedin claim 1 wherein at least one of the enterprise content deliverynetworks is part of an Internet content delivery network (ICDN).
 3. Themethod as described in claim 2 wherein at least one of the enterprisecontent delivery networks is managed as part of the ICDN.
 4. The methodas described in claim 1 wherein the private object is retrieved by arelay located within a demilitarized zone (DMZ) of the second entity. 5.The method as described in claim 4 wherein the relay located within theDMZ of the second entity communicates with a relay located within a DMZof the first entity.
 6. The method as described in claim 5 wherein therelay located within the DMZ of the second entity communicates with theDMZ of the first entity over a secure link.
 7. The method as describedin claim 6 wherein the virtual zone is resolved without reference to thepublic Internet DNS.
 8. The method as described in claim 4 wherein therelay comprises a surrogate origin server and a zone name server.
 9. Themethod as described in claim 1 wherein the first and second entities aredistinct enterprises.
 10. A method of content delivery involving a firstentity and a second entity, comprising: having each of the first andsecond entities operate an enterprise content delivery network (ECDN)behind an enterprise firewall, wherein each of the first and secondentities has a private namespace that is not resolvable through publicInternet DNS; deploying a first relay within the first entity; deployinga second relay within the second entity; having the first entitydelegate to the second entity responsibility for managing a virtual zoneassociated with the private namespace of the first entity; and inresponse to a request generated by an end user in the second entity, therequest being associated with the virtual zone, retrieving a privateobject published by the first entity.
 11. The method as described inclaim 10 wherein each of the first and second relays comprises asurrogate origin server and a zone name server.
 12. The method asdescribed in claim 11 wherein the private object is retrieved by thesecond relay.
 13. The method as described in claim 12 wherein the secondrelay retrieves the private object using the surrogate origin server inthe first relay.
 14. The method as described in claim 10 wherein thefirst and second entities are distinct enterprises.
 15. The method asdescribed in claim 10 wherein the virtual zone is resolved withoutreference to the public Internet DNS.
 16. A method of content delivery,comprising: having an entity establish an enterprise content deliverynetwork (ECDN) behind an enterprise firewall, wherein the entity has aprivate namespace that is not resolvable through public Internet DNS;having the entity receive a delegation of responsibility for managing avirtual zone associated with a private namespace of a second entity,wherein the second entity is distinct from the entity, and wherein theentity receives the delegation from the second entity; and in responseto a request generated by an end user behind the enterprise firewall inthe entity, the request being associated with the virtual zone, havingthe entity retrieve a private object published by the second entity.